Making DoD Enterprise Email,

AKO, and other DoD websites

work with Internet Explorer on
your Windows computer.
Presented by: Michael J. Danberry
Last Revision / review: 04 December 2014

Performing these fixes in your Internet Explorer web

browser should fix most access problems.
Video version NOTE: (Video Doesnt go into as much
detail as this presentation)
Personnel utilizing this guide without CACs should only skip the pages marked: This page
is CAC Specific. CAC holders need to follow ALL slides.
The most up to date version of this presentation can be found at:
http://milcac.us/tweaks 1
 To successfully access DoD websites, you
need to have the latest Department of
Defense (DoD) certificates installed and run
the Cross Cert Removal Tool
Download links to the latest InstallRoot file can be
found on:
https://militarycac.com/dodcerts.htm
Note: It will not harm your computer to run this file more than once.

Download the Cross Cert Removal Tool from either of

the links on:
https://militarycac.com/activclient62update.htm
2
 Open Internet Explorer (IE) 9 - 11 (32 bit);
Make sure the page you are having problems
accessing is NOT open in any tabs or another IE
browser, Select Tools
You may also click the Alt & T keys on your computer keyboard

Image from Internet Explorer 9, 10, or 11

3
 Open Internet Explorer (IE) 6-8 (32 bit);
Make sure the page you are having problems
accessing is NOT open in any tabs or another IE
browser, Select Tools
You may also click the Alt & T keys on your computer keyboard

Image from Internet Explorer 8

4
Windows 8 / 8.1 users need to use the
Internet Explorer from the Desktop

NOT the one from the Start tiles

5
Select Internet Options in IE 9 - 11 after clicking
the gear

6
Select Internet Options in IE 6 - 11

7
 Check the Delete browsing history on exit (box)
(IE 11 users, See note below)
and then click the Delete (button)

NOTE: IE 11 users
may have problems
if you check this box.

8
Select the top 3 check boxes then click Delete

9
Click Settings

10
Change this number to 50, then click OK

NOTE: This is just my

personal
recommended size.
Making it smaller will
make your browser
look for an updated
page more often. The
larger it is, the more
web sites are being
stored on your
computer.

11
Click the Security (tab)(1), Trusted sites (green
checkmark)(2), then Sites (button)(3)
2
1
3

12
 Remove all websites that end in .mil from the
Websites: box by clicking the link, selecting
Remove, then clicking Close

NOTE: Some people will

This is the Websites: box
NOTE-1: Some
Government owned
computers will not let you
access this area to remove
the sites. Since you cant
make any changes, go to
the next slide.
argue that AKO should
be in the trusted sites.
Heres what Ive been
able to deduce: it IS
needed with IE 6 & 7,
however, if used with: IE
8, 9, 10, or 11 you will
be recycled to the AKO
home page. So, IE 8, 9,
10, and 11 users
REMOVE it.
13
Click the Content (tab), then Certificates (button)

Sometimes you
may need to click:
Clear SSL state (it
will not hurt your
system to click
this)

14
You should only see 3 DOD certificates (2 with
EMAIL and 1 without) under the Personal (tab).
If you see more than 3, look at slide 24 for
further instructions. Dual CAC holders will see a
4th certificate once their PIV is activated.

This page is CAC Specific

15
Click the Intermediate Certification Authorities (tab) and look for
the certificates shown in the blue graph below. IF you see any
of these on your computer, click it, then click Remove
Issued To Issued By Expiration
Common Policy Common Policy
DoD SHA-1 Federal
Interoperability Root CA
Root CA 1
DOD ROOT CA 2 DoD
Interoperability
Root CA 1
Entrust Common Policy

SHA-1 Federal Root Federal Common

CA Policy CA
VeriSign Digital ID Date is
Certificate Expired
If the above certificates return, run both of the
files below
- Cross Cert remover Automated file (you may
need to run as administrator) to remove
certificates Listed above: Another way to remove the certificates
Download from MilitaryCAC (13 AUG 14 version)
Download from DISA (13 AUG 14 version)
- This registry edit can help fix some certificate problems as well. Information about the
Download from MilitaryCAC (19 OCT 11 version)
Download from AKO (19 OCT 11 version) Cross Cert Remover 16
 Click the Connections (tab)(1), LAN settings
(button)(2), make sure none of the boxes are
checked(3) (Personal Computers only), then click OK
1

17
 Click the Advanced (tab), scroll to the bottom of the
list, check Empty Temporary Internet and make
sure that only SSL 3.0, TLS 1.0, 1.1, & 1.2 (see
NOTE2 below) are checked. SSL 2.0 is NOT checked

NOTE: If you are NOTE: Some

receiving the error: computers seem to refuse
Error 107 (net::ERR SSL to leave TLS 1.0 checked
PROTOCOL ERROR): SSL and SSL 2.0 unchecked. If
protocol error or this happens, click the
Unknown error you may Reset (button).
need to leave SSL 2
checked. NOTE2: The Air Forces
AROWS Website needs
TLS 1.1 & 1.2
NOTE: Windows XP
unchecked to be
and Vista users will not
accessed. So, if you are
see TLS 1.1 & 1.2, as
having problems with
they are only seen on
some sites, uncheck
Windows 7 & 8
these and try again. 18
Close Internet Explorer, reopen it and try logging
into a DoD CAC enabled website now

If it still does not work, close the browser and

reopen it one more time, then go to the next
slide.

19
 Compatibility View is needed with Internet
Explorer 8 - 11 to access government websites
like Web.mail.mil, OWA, NKO, DTS, and others
Look for the little torn paper icon and click it (IE 8-10 only)

Internet Explorer 11 users will not see the torn paper. Click Tools (or Alt & T keys
on your keyboard), Compatibility View Settings, and enter: mail.mil, army.mil,
osd.mil, and navy.mil in the Add this website: box. Click Add, then Close
The next slide shows images of how to do this

Further information regarding this issue can be read on Microsoft.com

http://support.microsoft.com/kb/2866064

20
 Reasons to do this:
--------
The website worked before but
not now
--------
Internet Explorer 11 is your
browser
--------
Add website to compatibility view

mail.mil

Easiest way to add is to go to the website then open mail.mil

osd.mil
compatibility view. The correct website should be army.mil
navy.mil
automatically inserted into the add location.
DoD Enterprise Email needs: mail.mil added
DTS needs: osd.mil added
Army websites need: army.mil added
Navy personnel need: navy.mil added

Internet Explorer 11 Compatibility View with

Windows 7, 8, and 8.1 21
If you are still having issues, you can uncheck "Enable Enhanced
Protected Mode*"
To try this option, Click Tools, Internet Options, Advanced (tab)

NOTE: Running Enhanced Protected

Mode* helps prevent attackers from
installing software or modifying
system settings if they manage to run
exploit code. It is an extra layer of
protection that locks down parts of
your system that your browser
ordinarily doesnt need to use.
- Unfortunately it blocks access to
some DoD websites.

22
 If the previous adjustments did not work, select
Reset at the bottom of the Advanced (tab), AND
what you see on the next page

23
You may need to Remove your certificates (see slide
15 for instructions on how to get to this location).
Remember, Dual persona personnel will have 4 certs
after they have activated their PIV certificate.

NOTE: You will

receive a message
stating: You cannot
decrypt data
encrypted using the
certificates. Select:
Yes

This page is CAC Specific

24
 Your certificates should automatically be available
to Windows when you remove and reinsert your CAC
into the reader, however
If you have ActivClient 6.2.0.x installed.. You can double click
the ActivClient icon (by your clock in the lower right corner
of your screen) now go to slide 27

If you dont see it there: Click Start, All Programs,

ActivIdentity, ActivClient, User Console. Now go to next
slide

Windows 7 & 8 / 8.1 native users will not see an ActivClient

icon, since you are not using it.
This page is CAC Specific
25
 Forget state for all cards in ActivClient 6.2.0.x,
this helps Dual CAC holders
Click Tools, Advanced, Forget state for all cards (twice)

DOE.JOHN.ANDREW.1111111111s

Make Certificates available to Windows...

Forget state for all cards

Go to next page to Make

Certificates available to
Windows
This page is CAC Specific
26
 How to make your certificates available to
Windows when using ActivClient 6.2.0.x
Click Tools, Advanced, Make Certificates available to Windows

DOE.JOHN.ANDREW.1111111111s

You should see

Images used from this message
DISAs JITC website
This page is CAC Specific
27
 Try these if you are still having issues:

Try using the 32 bit version of Internet Explorer (if youre

currently using 64 bit Windows)

Heres how to try the 32 bit IE:

Click Start, All Programs, Internet Explorer (NOT Internet
Explorer (64-bit)).
NOTE: When using Windows 8 or 8.1, this is normally the
Internet Explorer in Desktop mode (NOT the one in the start
tiles).

NOTE2: In very rare occasions, your time on your computer may

be off by more than the servers limit of 5 minutes. Please
check your clock and time zone. 28
Try logging into a CAC enabled DoD website with
your CAC, it should work

If all of the previous ideas did not work, please visit:

https://militarycac.com/cacdrivers.htm to start
troubleshooting your CAC reader

Presentation created and maintained by:

Michael J. Danberry
https://MilitaryCAC.com

If you still have questions, visit:

https://militarycac.com/questions.htm

29